
Upgrade utils-mail-smime dependency to 2.3.2, to resolve CVE issue in bouncycastle #506

Merged (1 commit), Apr 23, 2024

Conversation

rover886 (Contributor)

The latest version of the smime-module should refer to utils-mail-smime version 2.3.2.

rover886 (Contributor, Author)

Hi @bbottema, we received a Snyk report mentioning:

✗ Observable Timing Discrepancy [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-6277382] in org.bouncycastle:bcprov-jdk15to18@1.75
introduced by org.simplejavamail:smime-module@8.1.3 > org.simplejavamail:utils-mail-smime@2.1.2 > org.bouncycastle:bcjmail-jdk15to18@1.75 > org.bouncycastle:bcprov-jdk15to18@1.75 and 2 other path(s)

To resolve this we updated smime-module to 8.8.3, but that still did not resolve the issue, because 8.8.3 still refers to utils-mail-smime version 2.3.1, which in turn refers to version 1.75 of BC. Hence this PR bumps the version of utils-mail-smime to 2.3.2, which is the latest and refers to BC 1.78.
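The transitive chain described in the comment above is easiest to confirm from the consuming project with `mvn dependency:tree`. The script below is an added example written for this page, not code from Simple Java Mail, Bouncy Castle or Snyk: it parses that plain-text output and reconstructs every root-to-`bcprov-jdk15to18` path in the same "introduced by a > b > c" form Snyk reports, so you can see which direct dependency has to move and re-run the check after the bump. The two embedded trees are constructed samples modelled on the chain in this PR; the consumer project `org.example:mailer` and the sibling artifacts they list are assumptions.

```python
"""Trace every path through a Maven dependency tree that pulls in a
vulnerable version of a transitive artifact.

Added example for this PR thread; not code from Simple Java Mail or Snyk.
It parses the plain-text output of `mvn dependency:tree` (run with
-Dverbose so omitted duplicates are still listed) and renders each
root-to-artifact path Snyk-style, which is what tells you which direct
dependency needs bumping.
"""
import re

_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}

# Constructed sample: the consumer's tree with smime-module 8.8.3, which still
# resolves utils-mail-smime 2.3.1 and therefore Bouncy Castle 1.75.
VULNERABLE_TREE = r"""
[INFO] org.example:mailer:jar:1.0.0
[INFO] +- org.simplejavamail:smime-module:jar:8.8.3:compile
[INFO] |  \- org.simplejavamail:utils-mail-smime:jar:2.3.1:compile
[INFO] |     +- org.bouncycastle:bcjmail-jdk15to18:jar:1.75:compile
[INFO] |     |  \- org.bouncycastle:bcprov-jdk15to18:jar:1.75:compile
[INFO] |     \- org.bouncycastle:bcpkix-jdk15to18:jar:1.75:compile
[INFO] |        \- (org.bouncycastle:bcprov-jdk15to18:jar:1.75:compile - omitted for duplicate)
[INFO] \- junit:junit:jar:4.13.2:test
"""

# Constructed sample: the same project after the bump to utils-mail-smime 2.3.2 (BC 1.78).
FIXED_TREE = r"""
[INFO] org.example:mailer:jar:1.0.0
[INFO] +- org.simplejavamail:smime-module:jar:8.8.4:compile
[INFO] |  \- org.simplejavamail:utils-mail-smime:jar:2.3.2:compile
[INFO] |     +- org.bouncycastle:bcjmail-jdk15to18:jar:1.78:compile
[INFO] |     |  \- org.bouncycastle:bcprov-jdk15to18:jar:1.78:compile
[INFO] |     \- org.bouncycastle:bcpkix-jdk15to18:jar:1.78:compile
[INFO] \- junit:junit:jar:4.13.2:test
"""

# Tree lines look like "|  |  +- g:a:jar:1.0:compile": a prefix of 3-char columns,
# an optional "+- " / "\- " marker, then the Maven coordinates.
_LINE = re.compile(r"^((?:[| ]  )*)([+\\]- )?(.*)$")


def parse_tree_line(line):
    """Return (depth, group, artifact, version) for one dependency:tree line,
    or None for log lines that are not tree nodes ("BUILD SUCCESS", separators)."""
    body = line[len("[INFO] "):] if line.startswith("[INFO] ") else line
    m = _LINE.match(body)
    prefix, marker, coords = m.group(1), m.group(2), m.group(3).strip()
    # -Dverbose wraps duplicates and conflict losers in parentheses plus a reason,
    # e.g. "(g:a:jar:1.0:compile - omitted for duplicate)"; keep the coordinates.
    if coords.startswith("("):
        coords = coords[1:].split(" - ")[0]
    coords = coords.split(" (")[0]           # drop trailing "(optional)"-style notes
    parts = coords.split(":")
    if len(parts) < 4 or " " in coords:
        return None
    if parts[-1] in _SCOPES:
        parts = parts[:-1]                   # the version sits just before the scope
    depth = len(prefix) // 3 + (1 if marker else 0)
    return depth, parts[0], parts[1], parts[-1]


def version_key(version):
    """Comparable key for dotted versions: 1.75 < 1.78 < 1.78.1.
    Non-numeric segments are mapped to -1; adequate for Bouncy Castle's numeric tags."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def vulnerable_paths(tree_text, group, artifact, fixed_in):
    """All root-to-artifact paths whose resolved version is older than fixed_in,
    each rendered Snyk-style as 'g:a@v > g:b@v > ...' (project root omitted)."""
    ancestors = []        # ancestors[d] is the node currently open at depth d
    paths = []
    for line in tree_text.splitlines():
        node = parse_tree_line(line)
        if node is None:
            continue
        depth, g, a, v = node
        del ancestors[depth:]             # a node at depth d closes everything deeper
        ancestors.append(f"{g}:{a}@{v}")
        if (g, a) == (group, artifact) and version_key(v) < version_key(fixed_in):
            paths.append(" > ".join(ancestors[1:]))
    return paths


if __name__ == "__main__":
    for label, tree in (("before bump", VULNERABLE_TREE), ("after bump", FIXED_TREE)):
        hits = vulnerable_paths(tree, "org.bouncycastle", "bcprov-jdk15to18", "1.78")
        print(f"{label}: {len(hits)} vulnerable path(s)")
        for path in hits:
            print("  introduced by", path)
```

Feed it the captured output of `mvn dependency:tree -Dverbose` in place of the samples. Without `-Dverbose` Maven prints each artifact once, at the position where it won resolution, so only the first path is reported; the verbose tree is what reproduces Snyk's "and N other paths". A consumer that cannot wait for a new smime-module release can also pin `org.simplejavamail:utils-mail-smime` to 2.3.2 in the project's `<dependencyManagement>`, which overrides the transitive version Maven would otherwise pick.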

@bbottema bbottema merged commit e6e4d19 into bbottema:master Apr 23, 2024
1 check passed
bbottema (Owner) commented Apr 23, 2024

I'm in the process of updating a lot of third-party dependencies, to solve all transitive known CVE issues. However, I can release a patch version for you in the meantime.

bbottema changed the title from "Update pom.xml" to "Upgrade utils-mail-smime dependency to 2.3.2, to resolve CVE issue in bouncycastle" on Apr 23, 2024
bbottema added this to the 8.8.4 milestone on Apr 23, 2024

bbottema (Owner)

Released in 8.8.4.

rover886 (Contributor, Author)

Tons of thanks @bbottema for taking the effort to release a new version at lightning-fast speed.

bbottema (Owner)

I just released 8.9.0, see details here.
